The White House has published the National Strategy for Trusted Identities in Cyberspace (NSTIC), which provides guidance for an Internet identity system to be designed and built by the private sector. The plan comes nearly two years after the White House first released its Cyberspace Policy Review, which set forth a national plan for Internet identities. In 2010, the White House released the draft NSTIC, and accepted public comments via an online forum. EPIC responded with comments that emphasized the need for strong privacy safeguards for Internet users. "The President endorsed 'Privacy Enhancing Technologies' for online credentials. That is historic," said EPIC Executive Director Marc Rotenberg today. "But online identity is a complex problem and the risk of 'cyber-identity theft' with consolidated identity systems is very real. The US will need to do more to protect online privacy." In a press release, the White House emphasized that NSTIC should be privacy-enhancing and voluntary, interoperable, and cost-effective. For more information, see EPIC: National Strategy for Trusted Identities in Cyberspace.

EPIC filed comments urging the Federal Trade Commission to improve the Children's Online Privacy Protection Act Rule. The rule is the principal federal protection for children's privacy, and limits how companies may collect and disclose children's personal information. "The need for the COPPA Rule has become increasingly urgent in light of new business practices and recent technological developments, such as social networking sites and mobile devices," EPIC wrote. "Existing provisions need to be strengthened and new provisions need to be added." In April, EPIC testified before Congress concerning children's privacy. For more, see EPIC: COPPA and EPIC: FTC.

EPIC President Marc Rotenberg testified today before the Senate Commerce Committee. He said that "COPPA did not anticipate the immersive online experience that a social network service would provide or the extensive data collection of both the trivial and the intimate information that children would share with friends." Mr. Rotenberg also pointed to the FTC's failure to enforce children's privacy rights despite clear-cut violations of the federal law. EPIC recommended updates that would expand COPPA protections to teens and clarify the law's application to mobile and social network services. EPIC's press release can be found here. For more, see EPIC: COPPA.

Background

History

In 1999, Microsoft announced plans to use its Passport service to authenticate subscribers in online transactions with affiliate companies. In July, 2001, EPIC filed a complaint with the Federal Trade Commission (updated and re-filed in August 2001), alleging that Microsoft Passport violated the Federal Trade Commission Act, which prohibits unfair or deceptive trade practices.

Microsoft Passport was the first large-scale use of an "Internet credential" system to authenticate a user's identity. Passport was a cookie-based service that allowed users to use a single, core log-in to verify identity without requiring the user to sign up for a new account with each service they wanted to use. EPIC's complaint pointed out that Microsoft encouraged its users to sign up for the service and represented that the service protected privacy and complied with the Children's Online Privacy Protection Act (COPPA). However, in reality Passport was facilitating the tracking and monitoring of its users by signing up all Microsoft Hotmail users for the service without the availability of an opt-out, not allowing individuals to delete their accounts, sharing user e-mail addresses with third parties by default, and neglecting key provisions of COPPA.

Based on EPIC's complaint, the FTC took action and negotiated a Consent Order that broadly required Microsoft to build in protections for the use of personal information, including e-mail addresses, persistent identifiers in cookies, and embedded identifiers, for any and all authentication systems that Microsoft offered, presently or in the future. In addition, for a period of 20 years (until 2022) Microsoft is required to fully disclose all information collection and use practices, develop a comprehensive security program and obtain third-party review of it, and maintain all Passport marketing materials for FTC review.

Modern Digital Identities

Since Passport, numerous "digital identity" credentialing services have emerged. In 2005, OpenID (initially referred to as Yadis) was developed as an open-source credential service, at first only for comments on LiveJournal and its affiliates. It expanded quickly and is perhaps the most prevalent service offered today, employed by websites like Google, Yahoo, and PayPal. Another popular identity service emerged in 2008, when Facebook launched Facebook Connect and enabled users to "share their information with the third party websites and applications they choose." Any of Facebook's 600 million users can use their Facebook log-in information to connect to different networks, such as Pandora, both around the Internet and on mobile apps. As of 2011, other identity services included Kantara, OASIS, and CardSpace.

Despite their growing prevalence, privacy problems with identity services remain, particularly when users are coerced into using a service by market pressure or when an identity service allows users to be tracked in order to predict or control their behavior. The biggest risk is what can happen if an open identity is phished or compromised. Unlike the traditional system, where a compromised password will only expose the single account to which it is attached, if a hacker or other individual finds a way to access a user's credential, they will be able to wreak havoc on a much wider scale.

On May 29, 2009, the White House published the Cyberspace Policy Review. The Review set forth an objective for a national plan for a public secure Internet identification program:

"The Federal government - in collaboration with industry and the civil liberties and privacy communities - should build a cyber security-based identity management vision and strategy for the Nation that considers an array of approaches, including privacy-enhancing technologies. The Federal government must interact with citizens through a myriad of information, services and benefit programs and thus has no interest in the protection of the public's private information as well."

Based on the White House's recommendations, an inter-agency writing team developed and released a Draft plan of the National Strategy for Trusted Identities in Cyberspace (NSTIC) in June 2010. NSTIC is seen as an acceleration and expansion of the initiatives developed by ICAM to the public domain. The Draft identified what it called the Identity Ecosystem - "a user-centric online environment, a set of technologies, policies, and agreed upon standards that securely supports transactions ranging from anonymous to fully authenticated and from low to high value." The Draft was published on IdeaScale, and was open for the public to submit comments. (The page has since been removed, though MSNBC has maintained a screenshot.)

EPIC responded to the Draft NSTIC with a formal statement on the unique challenges the proposal presented for the continued protection of privacy and consumer rights. EPIC emphasized the need for:

A complete enumeration of the sources of the problems identified in the draft

A clear plan for privacy protection

A strategy for the protection of private communications by fair information practices

The assignment of responsibility of government agencies to oversee authorities, courts, and credential users regarding constitutional rights

The assurance that Internet users can continue to create, control, and own web content.

EPIC also emphasized the importance of applying Fair Information Practices to all personally identifiable information that is collected, retained or used, and recommended an explicit statutory provision that would apply protections in the Federal Privacy Act to all credential-related information.

On January 7, 2011, White House Cybersecurity Coordinator Howard Schmidt and Commerce Secretary Gary Locke appeared at an event at Stanford University in California. In his speech, Locke detailed many potential threats on the Internet, claiming that the "cyber threat" was "one of the most serious economic and national security challenges we face as a nation." In order to lead the government's efforts on digital identity, Locke announced the creation of a National Program Office at the Department of Commerce, housed under the National Institute for Standards and Technology (NIST), that would be responsible for a digital identity framework.

As described by Secretary Locke in his announcement, the new Program Office would spearhead the development of NSTIC, though implementation would be outsourced to the private market, eliminating the need for a single overseer or a central database. (However, because the federal government will not be maintaining the databases of information, they will not be subject to the protections provided in the Federal Privacy Act of 1974.) The digital identity program is also designed to be entirely voluntary to users. In addition to private industry, the General Services Administration and the Department of Homeland Security were also slated to assist with development of the new programs.

The National Strategy for Trusted Identities in Cyberspace

The White House's National Strategy for Trusted Identities in Cyberspace was released on April 15, 2011 during a formal event at the U.S. Chamber of Commerce. The Strategy is housed at the National Institute for Standards and Technology (NIST) within the Department of Commerce, where a new Program Office has been created. The Program Office is currently headed by Jeremy Grant, former co-chair of the Identity Management Committee at TechAmerica.

As an aspirational document, the NSTIC makes many promising statements. Among these is an often-repeated promise to "enhance" privacy and security in online transactions. Much like the preceding draft document, the NSTIC emphasizes the role of the private sector as the "primary developer, implementer, owner, and operator of the Identity Ecosystem."

The NSTIC identifies four parties that will contribute to transactions under the Identity Ecosystem:

An individual or non-person entity is the party seeking to engage in an online transaction and the owner of the credential at issue in the transaction.

An identity provider (IDP) "is responsible for establishing, maintaining, and securing the digital identity associated" with an individual or non-person entity, including "revoking, suspending, and restoring the subject's digital identity if necessary."

An attribute provider (AP) "is responsible for the processes associated with establishing and maintaining identity attributes [...] including validating, updating, and revoking the attribute claim."

A relying party (RP) is the party with which the individual or non-person entity wishes to transact. "Within the Identity Ecosystem, the relying party selects and trusts the identity and attribute providers of their choice, based on the risk of credential types and identity media."

In addition, the document calls for the incorporation of clear rules and guidelines based on eight best practices, which the document defines in an Appendix. Though these practices are to "address not only the circumstances under which a service provider or relying party may share information but also the kinds of information that they may collect and how that information is used," the NSTIC does not mandate the practices to be implemented as they are defined within it:

Individual Participation: Organizations should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII. Organizations should also provide mechanisms for appropriate access, correction, and redress regarding use of PII.

Purpose Specification: Organizations should specifically articulate the authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used.

Data Minimization: Organizations should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s).

Use Limitation: Organizations should use PII solely for the purpose(s) specified in the notice. Sharing PII should be for a purpose compatible with the purpose for which the PII was collected.

Data Quality and Integrity: Organizations should, to the extent practicable, ensure that PII is accurate, relevant, timely, and complete.

Security: Organizations should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.

Accountability and Auditing: Organizations should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.

The final major call in the NSTIC is for a "trustmark scheme" for parties within the Identity Ecosystem, provided for by one or more private-sector accreditation authorities, and policed by a public-private steering group, to ensure "minimum requirements of the Identity Ecosystem Framework" are met. The trustmark is to represent the application of a single privacy and service framework to all entities who bear it.

Implementation of the NSTIC

Following the release of the NSTIC, the government has sponsored a series of Workshops, aimed at brainstorming solutions and confronting problems with the NSTIC implementation. The first Workshop was focused on issues with Governance and was held in Washington, D.C. on June 9-10, 2011. After the Workshop, a Notice of Inquiry was issued on "Models for a Governance Structure for the National Strategy for Trusted Identities in Cyberspace." The deadline for the NOI is July 22, 2011.

The second Workshop was held on June 27-28, 2011 at MIT in Cambridge, Massachusetts to examine Privacy in the NSTIC. A third Workshop focused on technology solutions has not yet been scheduled, but is expected to be held in the California Bay Area in September, 2011.